Authlogic

Authlogic is a clean, simple, and unobtrusive ruby authentication solution.

It introduces a new type of model. You can have as many as you want, and name them whatever you want, just like your other models. In this example, we want to authenticate with the User model, which is inferred by the name:

sets up the proper session values and cookies to persist the session (i.e. saving the record).

You can also log out (i.e. destroying the session):

session.destroy

After a session has been created, you can persist it (i.e. finding the record) across requests. Thus keeping the user logged in:

session=UserSession.find

To get all of the nice authentication functionality in your model just do this:

classUser<ActiveRecord::Baseacts_as_authenticdo|c|c.my_config_option=my_valueend# the configuration block is optionalend

This handles validations, etc. It is also "smart" in the sense that it if a login field is present it will use that to authenticate, if not it will look for an email field, etc. This is all configurable, but for 99% of cases that above is all you will need to do.

You may specify how passwords are cryptographically hashed (or encrypted) by setting the Authlogic::CryptoProvider option:

c.crypto_provider=Authlogic::CryptoProviders::BCrypt

You may validate international email addresses by enabling the provided alternate regex:

Authlogic::ActsAsAuthentic, which adds in functionality to your ActiveRecord model when you call acts_as_authentic.

Each of the above has its various sub modules that contain common logic. The sub modules are responsible for including everything related to it: configuration, class methods, instance methods, etc.

For example, if you want to timeout users after a certain period of inactivity, you would look in Authlogic::Session::Timeout. To help you out, I listed the following publicly relevant modules with short descriptions. For the sake of brevity, there are more modules than listed here, the ones not listed are more for internal use, but you can easily read up on them in the documentation.

Example migration

If you want to enable all the features of Authlogic, a migration to create a
+User+ model, for example, might look like this:

CSRF Protection

Because Authlogic introduces its own methods for storing user sessions, the CSRF (Cross Site Request Forgery) protection that is built into Rails will not work out of the box.

No generally applicable mitigation by the authlogic library is possible, because the instance variable you use to store a reference to the user session in def current_user_session will not be known to authlogic.

You will need to override ActionController::Base#handle_unverified_request to do something appropriate to how your app handles user sessions, e.g.:

Testing

Tell me quickly how Authlogic works

Interested in how all of this all works? Think about an ActiveRecord model. A database connection must be established before you can use it. In the case of Authlogic, a controller connection must be established before you can use it. It uses that controller connection to modify cookies, the current session, login with HTTP basic, etc. It connects to the controller through a before filter that is automatically set in your controller which lets Authlogic know about the current controller object. Then Authlogic leverages that to do everything, it's a pretty simple design. Nothing crazy going on, Authlogic is just leveraging the tools your framework provides in the controller object.

Copyright (c) 2012 Ben Johnson of Binary Logic, released under the MIT license